Add support in tlsalpn provider

Author: jsumners

challenge/tlsalpn01/tls_alpn_challenge_server.go

@@ -11,6 +11,14 @@ import (
 	"github.com/go-acme/lego/v4/log"
 )
 
+type ProviderNetwork string
+
+const (
+	DefaultNetwork = "tcp"
+	Tcp4Network    = "tcp4"
+	Tcp6Network    = "tcp6"
+)
+
 const (
 	// ACMETLS1Protocol is the ALPN Protocol ID for the ACME-TLS/1 Protocol.
 	ACMETLS1Protocol = "acme-tls/1"
@@ -26,14 +34,23 @@ const (
 type ProviderServer struct {
 	iface    string
 	port     string
+	network  string
 	listener net.Listener
 }
 
 // NewProviderServer creates a new ProviderServer on the selected interface and port.
 // Setting iface and / or port to an empty string will make the server fall back to
 // the "any" interface and port 443 respectively.
-func NewProviderServer(iface, port string) *ProviderServer {
-	return &ProviderServer{iface: iface, port: port}
+func NewProviderServer(iface, port string, network ProviderNetwork) *ProviderServer {
+	if port == "" {
+		port = defaultTLSPort
+	}
+	
+	if network == "" {
+		network = DefaultNetwork
+	}
+
+	return &ProviderServer{iface: iface, port: port, network: string(network)}
 }
 
 func (s *ProviderServer) GetAddress() string {
@@ -65,7 +82,7 @@ func (s *ProviderServer) Present(domain, token, keyAuth string) error {
 	tlsConf.NextProtos = []string{ACMETLS1Protocol}
 
 	// Create the listener with the created tls.Config.
-	s.listener, err = tls.Listen("tcp", s.GetAddress(), tlsConf)
+	s.listener, err = tls.Listen(s.network, s.GetAddress(), tlsConf)
 	if err != nil {
 		return fmt.Errorf("could not start HTTPS server for challenge: %w", err)
 	}

challenge/tlsalpn01/tls_alpn_challenge_test.go

@@ -8,6 +8,7 @@ import (
 	"crypto/tls"
 	"encoding/asn1"
 	"net/http"
+	"os"
 	"testing"
 
 	"github.com/go-acme/lego/v4/acme"
@@ -18,6 +19,53 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+func TestProviderServer_GetAddress(t *testing.T) {
+	dir := t.TempDir()
+	t.Cleanup(func() { _ = os.RemoveAll(dir) })
+
+	testCases := []struct {
+		desc     string
+		server   *ProviderServer
+		expected string
+	}{
+		{
+			desc:     "TCP default address",
+			server:   NewProviderServer("", "", ""),
+			expected: ":443",
+		},
+		{
+			desc:     "TCP with explicit port",
+			server:   NewProviderServer("", "4443", ""),
+			expected: ":4443",
+		},
+		{
+			desc:     "TCP with host and port",
+			server:   NewProviderServer("localhost", "4443", ""),
+			expected: "localhost:4443",
+		},
+		{
+			desc:     "TCP4 with host and port",
+			server:   NewProviderServer("localhost", "4443", Tcp4Network),
+			expected: "localhost:4443",
+		},
+		{
+			desc:     "TCP6 with host and port",
+			server:   NewProviderServer("localhost", "4443", Tcp6Network),
+			expected: "localhost:4443",
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			address := test.server.GetAddress()
+			assert.Equal(t, test.expected, address)
+		})
+	}
+}
+
 func TestChallenge(t *testing.T) {
 	_, apiURL := tester.SetupFakeAPI(t)
 

cmd/setup_challenges.go

@@ -94,6 +94,16 @@ func setupHTTPProvider(ctx *cli.Context) challenge.Provider {
 }
 
 func setupTLSProvider(ctx *cli.Context) challenge.Provider {
+	var network tlsalpn01.ProviderNetwork
+	switch {
+	case ctx.IsSet("ipv4only") && ctx.IsSet("ipv6only"):
+		network = tlsalpn01.DefaultNetwork
+	case ctx.IsSet("ipv4only"):
+		network = tlsalpn01.Tcp4Network
+	case ctx.IsSet("ipv6only"):
+		network = tlsalpn01.Tcp6Network
+	}
+
 	switch {
 	case ctx.IsSet("tls.port"):
 		iface := ctx.String("tls.port")
@@ -106,9 +116,9 @@ func setupTLSProvider(ctx *cli.Context) challenge.Provider {
 			log.Fatal(err)
 		}
 
-		return tlsalpn01.NewProviderServer(host, port)
+		return tlsalpn01.NewProviderServer(host, port, network)
 	case ctx.Bool("tls"):
-		return tlsalpn01.NewProviderServer("", "")
+		return tlsalpn01.NewProviderServer("", "", network)
 	default:
 		log.Fatal("Invalid HTTP challenge options.")
 		return nil

e2e/challenges_test.go

@@ -212,7 +212,7 @@ func TestChallengeHTTP_Client_Obtain(t *testing.T) {
 	client, err := lego.NewClient(config)
 	require.NoError(t, err)
 
-	err = client.Challenge.SetHTTP01Provider(http01.NewProviderServer("", "5002"))
+	err = client.Challenge.SetHTTP01Provider(http01.NewProviderServer("", "5002", ""))
 	require.NoError(t, err)
 
 	reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
@@ -250,7 +250,7 @@ func TestChallengeHTTP_Client_Registration_QueryRegistration(t *testing.T) {
 	client, err := lego.NewClient(config)
 	require.NoError(t, err)
 
-	err = client.Challenge.SetHTTP01Provider(http01.NewProviderServer("", "5002"))
+	err = client.Challenge.SetHTTP01Provider(http01.NewProviderServer("", "5002", ""))
 	require.NoError(t, err)
 
 	reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
@@ -282,7 +282,7 @@ func TestChallengeTLS_Client_Obtain(t *testing.T) {
 	client, err := lego.NewClient(config)
 	require.NoError(t, err)
 
-	err = client.Challenge.SetTLSALPN01Provider(tlsalpn01.NewProviderServer("", "5001"))
+	err = client.Challenge.SetTLSALPN01Provider(tlsalpn01.NewProviderServer("", "5001", ""))
 	require.NoError(t, err)
 
 	reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
@@ -325,7 +325,7 @@ func TestChallengeTLS_Client_ObtainForCSR(t *testing.T) {
 	client, err := lego.NewClient(config)
 	require.NoError(t, err)
 
-	err = client.Challenge.SetTLSALPN01Provider(tlsalpn01.NewProviderServer("", "5001"))
+	err = client.Challenge.SetTLSALPN01Provider(tlsalpn01.NewProviderServer("", "5001", ""))
 	require.NoError(t, err)
 
 	reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})